question: How do roles work now #9

Closed
MVethana opened this issue Jan 21, 2022 · 43 comments
Labels
authorization bug Something isn't working migration question Further information is requested

Comments

@MVethana

Previously utilizing caddy-authorize, this line for roles worked

allow roles User Admin

How would this be implemented in caddy-security, the docs don't seem to be updated yet. The repo's description includes this snippet,
allow roles authp/admin authp/user, but am unsure how to implement this in my existing Caddyfile, specifically I am using organizr's jwt, https://docs.organizr.app/features/server-authentication

@greenpau
Owner

@MVethana , please see if this makes sense:

{
	debug
	local_certs
	http_port 8080
	https_port 8443

	security {

		authorization policy app1policy {
			set auth url /auth/
			crypto key verify 01ee2688-36e4-47f9-8c06-d18483702520
			allow roles authp/admin authp/user
		}

		authorization policy app2policy {
			set auth url /auth/
			crypto key verify 01ee2688-36e4-47f9-8c06-d18483702520
			allow roles authp/admin authp/user
		}
	}
}

127.0.0.1, localhost {
	route /version* {
		respond * "1.0.0" 200
	}

	route /app1/* {
		authorize with app1policy
		file_server {
			root ./app1/assets/config
		}
	}

	route /app2/* {
		authorize with app2policy
		file_server {
			root ./app2/assets/config
		}
	}

	route {
		respond * "OK" 200
	}
}

@greenpau greenpau added migration question Further information is requested authorization labels Jan 21, 2022
@MVethana
Author

@greenpau Where does the "authp/" come from, is this a set keyword or is it dynamic from the contents of the jwt we are using. This is an example jwt that I am using,

{
  "iss": "Organizr",
  "aud": "Organizr",
  "jti": "4f1g23a12aa",
  "iat": 1555553579,
  "exp": 1556158379,
  "username": "myusername",
  "group": "Admin",
  "groupID": 0,
  "email": "mail@spam.com",
  "image": "https://www.gravatar.com/avatar/901d703edb7a7f21a92ae87f29484d01?s=100&d=mm",
  "userID": 1
}

@greenpau
Owner

Where does the "authp/" come from, is this a set keyword or is it dynamic from the contents of the jwt we are using. This is an example jwt that I am using,

@MVethana , it is set when authenticating with auth portal.

In your case, you have "group": "Admin", So...

		authorization policy app1policy {
			set auth url /auth/
			crypto key verify 01ee2688-36e4-47f9-8c06-d18483702520
			allow roles Admin
		}

@greenpau
Owner

@MVethana , you obviously need to change the key. More about it here: https://authp.github.io/docs/authorize/token-verification

@MVethana
Author

Is there any way to debug the specific cause of a "user authorization failed" error? In this case that line has not changed for me since I switched over from caddy-authorize, yet I'm getting errors now.

@greenpau
Owner

@MVethana , the group, groups, role, roles are all treated as "roles" for the purpose of access control.

https://github.com/greenpau/aaasf/blob/74a812ced08a97de256432e2da810bea8ea27a13/pkg/user/user.go#L903-L906

@MVethana
Author

Specifically debug is giving me
security token validation error {"session_id": "", "request_id": "[redacted]", "error": "no token found"}

@greenpau
Owner

Specifically debug is giving me
security token validation error {"session_id": "", "request_id": "[redacted]", "error": "no token found"}

@MVethana , the handler looks for tokens in the way described here.

Do you provide the token in a cookie? bearer? etc.?

Based on the above, I will guide you to the relevant command(s).

@MVethana
Author

@greenpau The setup I have was working with caddy-authorize. crypto key token name is set, and I am not specifying set token sources.

@greenpau
Owner

@greenpau The setup I have was working with caddy-authorize. crypto key token name is set, and I am not specifying set token sources.

@MVethana , I get it! I need this info to troubleshoot. It narrows the scope of inquiry for me.

@MVethana
Author

@greenpau Seems to be a cookie from the organizr docs

@greenpau
Owner

Seems to be a cookie from the organizr docs

@MVethana , I have a guess about it. Let's try this then.

		authorization policy app1policy {
			set auth url {env.REDIRECT_URL}
			crypto key verify {env.JWT_SHARED_KEY}
			crypto key token name organizr_token_<uuid>
			set token sources cookie header query
			validate bearer header
			acl rule {
			    comment allow admins only
			    match iss Organizr
			    match role Admin
			    allow stop log info
			}
			acl rule {
			    comment default deny
			    always match iss any
			    deny log warn
			}
		}

Please change <uuid> to the value from $this->config['uuid'].

Just to confirm, does the verify key match the one from $this->config['organizrHash']?

@greenpau
Owner

@MVethana , with the above ACLs, we will see what is being hit and what type of data is there.

Also, please use caddy-trace plugin to see what is being received by the authorize. Something like this. The log entries will have the organizr tags in them.

  route {
    trace tag="organizr"
    authorize with app1policy
  }

Please create a gist with the logs.

@MVethana
Author

With the acl above this is what I am receiving,

DEBUG security redirecting unauthorized user {"session_id": "", "request_id": "[redacted]", "method": "location"}
2022/01/21 18:21:44.442 ERROR http.handlers.authentication auth provider returned error {"provider": "authorizer", "error": "user authorization failed"}

Will run caddy-trace and see what authorize is getting in just a bit

@greenpau
Owner

DEBUG security redirecting unauthorized user {"session_id": "", "request_id": "[redacted]", "method": "location"}
2022/01/21 18:21:44.442 ERROR http.handlers.authentication auth provider returned error {"provider": "authorizer", "error": "user authorization failed"}

@MVethana , what are the messages above this one? This just tells me that authorization has failed and the authorizer redirects the user with a Location-based redirect.

By the way, you could also disable the redirect for the troubleshooting:

		authorization policy app1policy {
		    disable auth redirect
		}

Will run caddy-trace and see what authorize is getting in just a bit

That would be the source of the info.

What is strange is that you are not seeing "hit" log messages from ACL. Which might mean that the authorization is failing at the token discovery phase.

@MVethana
Author

With redirect disabled I confirmed that the verify key and token name are correct. Is there any way to privately send you the gist, @greenpau ?

@greenpau
Owner

@MVethana , please send it to greenpau@outlook.com

@MVethana
Author

Sent
Fixed the file, should be good now @greenpau

@greenpau
Owner

Fixed the file, should be good now

@MVethana , there is only 1 line with "tag":"Organizr" in the gist.

@greenpau
Owner

@MVethana , here is what I see.

The request comes with 2 cookies. I replaced the UUIDs instead of redacting them.

    {
      "Name": "organizr_user_uuid",
      "Value": "be656182-623f-446f-aafd-75f7d06716e0",
      "Path": "",
      "Domain": "",
      "Expires": "0001-01-01T00:00:00Z",
      "RawExpires": "",
      "MaxAge": 0,
      "Secure": false,
      "HttpOnly": false,
      "SameSite": 0,
      "Raw": "",
      "Unparsed": null
    },
    {
      "Name": "organizr_token_cf426e09-2863-4ac8-b513-17bfe9cbae2d",
      "Value": "REDACTED",
      "Path": "",
      "Domain": "",
      "Expires": "0001-01-01T00:00:00Z",
      "RawExpires": "",
      "MaxAge": 0,
      "Secure": false,
      "HttpOnly": false,
      "SameSite": 0,
      "Raw": "",
      "Unparsed": null
    },

You need to set crypto key token name organizr_token_<uuid> to something like in this example:

crypto key token name organizr_token_cf426e09-2863-4ac8-b513-17bfe9cbae2d

Please confirm that you did that.
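To make the failure modes traced in this thread concrete, here is an added, self-contained model of the three steps the authorizer performs on a request: find the JWT by exact cookie name (crypto key token name), verify its HS256 signature with the shared key (crypto key verify), fold group/groups/role/roles into one role set as described above, and walk the two-rule ACL from the suggested policy. This is example code written for this page, not caddy-security's implementation. The shared key and the claim values are constructed; the cookie UUID is the one shown in the trace above, and the "organizr_token_<uuid>" case shows what happens when the placeholder is left unchanged.

```python
import base64
import hashlib
import hmac
import json
import time

# Claims the thread says are all treated as "roles" for access control.
ROLE_CLAIMS = ("group", "groups", "role", "roles")

# Assumed values: the key is made up; the UUID is the one shown in the trace.
SHARED_KEY = "constructed-shared-key-standing-in-for-organizrHash"
UUID = "cf426e09-2863-4ac8-b513-17bfe9cbae2d"
TOKEN_NAME = f"organizr_token_{UUID}"

# The ACL from the suggested policy: admins from issuer Organizr, else deny.
ACL = [
    {"comment": "allow admins only", "iss": {"Organizr"}, "roles": {"Admin"}, "action": "allow"},
    {"comment": "default deny", "action": "deny"},
]


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_token(claims: dict, key: str) -> str:
    """Mint a token the way a shared-secret issuer like Organizr would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_token(token: str, key: str, now=None) -> dict:
    """Check alg, signature and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(parts[0])).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key.encode(), f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def find_token(cookie_header: str, token_name: str) -> str:
    """Token discovery: only a cookie named exactly `token_name` counts."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == token_name:
            return value
    raise LookupError("no token found")  # the error seen in the debug log above


def roles_of(claims: dict) -> set:
    """Fold the four role-like claims (string or list) into one set."""
    roles = set()
    for name in ROLE_CLAIMS:
        value = claims.get(name)
        if value is not None:
            roles.update(value if isinstance(value, list) else [value])
    return roles


def evaluate_acl(claims: dict, acl=ACL) -> tuple:
    """First matching rule wins; a rule without conditions always matches."""
    roles = roles_of(claims)
    for rule in acl:
        if "iss" in rule and claims.get("iss") not in rule["iss"]:
            continue
        if "roles" in rule and not roles & rule["roles"]:
            continue
        return rule["action"], rule["comment"]
    return "deny", "implicit deny"


def authorize(cookie_header: str, token_name: str, key: str, now=None) -> tuple:
    try:
        claims = verify_hs256_token(find_token(cookie_header, token_name), key, now)
    except (LookupError, ValueError) as err:
        return "deny", str(err)
    return evaluate_acl(claims)


def demo() -> dict:
    # Constructed Organizr-style claims, modelled on the sample token in the thread.
    admin = {"iss": "Organizr", "aud": "Organizr", "jti": "4f1g23a12aa",
             "iat": 1555553579, "exp": 1556158379, "username": "myusername",
             "group": "Admin", "groupID": 0, "userID": 1}
    now = 1555553600  # inside the token's validity window
    admin_token = make_hs256_token(admin, SHARED_KEY)
    user_token = make_hs256_token({**admin, "group": "User", "groupID": 1}, SHARED_KEY)
    cookies = f"organizr_user_uuid=be656182-623f-446f-aafd-75f7d06716e0; {TOKEN_NAME}={admin_token}"
    return {
        "admin": authorize(cookies, TOKEN_NAME, SHARED_KEY, now),
        "placeholder token name": authorize(cookies, "organizr_token_<uuid>", SHARED_KEY, now),
        "wrong key": authorize(cookies, TOKEN_NAME, "some-other-key", now),
        "plain user": authorize(f"{TOKEN_NAME}={user_token}", TOKEN_NAME, SHARED_KEY, now),
        "expired": authorize(cookies, TOKEN_NAME, SHARED_KEY, admin["exp"]),
    }


if __name__ == "__main__":
    for case, (decision, why) in demo().items():
        print(f"{case:24} {decision:5} ({why})")
```

The "placeholder token name" case reproduces the "no token found" error from the debug log: a cookie named organizr_token_cf426e09-... is present, but the policy asks for a cookie literally named organizr_token_<uuid>, so discovery fails before any ACL rule is evaluated, which is why no ACL "hit" messages appear. The default-deny rule is what turns a non-admin Organizr user into a clean deny rather than an implicit one.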

@MVethana
Author

Yes I have. I can confirm that crypto key verify and crypto key token name are the correct values; the exact same key verify and name were used yesterday, working with caddy-authorize, and I checked again to confirm nothing had changed. They are both still correct.

@greenpau
Owner

@MVethana , confirmed bug with validator.

@greenpau greenpau added the bug Something isn't working label Jan 21, 2022
@MVethana
Author

@greenpau Any idea of the ETA for a fix, or is it better to revert back to caddy-authorize for now?

@greenpau
Owner

@MVethana , another 30 mins.

@greenpau
Owner

@MVethana , released fix in https://github.com/greenpau/caddy-security/releases/tag/v1.0.2

Please retest and re-open if necessary.

Do not use order, use routes. See https://gist.github.com/greenpau/6abb58bf7b523210c39c8138c6a6417f

@MVethana
Author

@greenpau Still seems to be an issue on my end. I tried a couple of different things following the gist and it is still not working; I can confirm I am using routes as well. Let me know what you need to debug this further.

@greenpau
Owner

Please post your full config in a gist. Share via email.

@MVethana
Author

Sent

@MVethana
Author

@greenpau I've narrowed it down and it makes no sense to me: the config I sent to you does not work with caddy-security on its own, however the moment I add caddy-security and caddy-trace together, without even including a "trace tag=" in the route, the config works as expected. Is caddy-trace required with caddy-security now? Or is this a bug?

@MVethana
Author

@greenpau To make sure I am not going crazy, I redownloaded caddy twice: one build with just caddy-security, one with caddy-security and caddy-trace. I copied and pasted the config from the gist I sent you last night and am using that with my crypto key verify added back; nothing else has been changed.

Only with caddy-trace added does the config work, even though I have no trace tag in the config

@greenpau
Owner

Idk yet. Let's tackle one issue at a time. Add "debug on" above security. Then, do the trace with logs and let's see what is working.

@greenpau
Owner

Only with caddy-trace added does the config work, even though I have no trace tag in the config

This could be an issue with the download builds, i.e. unrelated to the security app.

@MVethana
Author

Just emailed you a gist of the config working with security and trace installed, with trace tag="overseerr". Let me know what else you need.

@greenpau
Owner

@MVethana , side note. Previously when trace was enabled I saw tokenzr cookies appear twice (each of them) in a request.

@MVethana
Author

Tokenzr?

@greenpau
Owner

@MVethana , disregard the above for now. I looked at the logs without trace and I see ACL hits saying the traffic is allowed.

What is not working right now?

@greenpau greenpau reopened this Jan 22, 2022
@MVethana
Author

The gist I sent you works as intended, removing the trace tag and removing caddy-trace results in this config not working.

@greenpau
Owner

The gist I sent you works as intended, removing the trace tag and removing caddy-trace results in this config not working.

@MVethana , please create a non-working setup. Please email me gists of the following:

  1. output of caddy list-modules -versions
  2. Caddyfile
  3. Logs with debug enabled

@MVethana
Author

That was it. When downloading caddy from the website with the features selected, downloading trace and security gives 1.0.2, whereas downloading security standalone provides 1.0.1.

@MVethana
Author

Caddyserver.com says it is providing version latest, but clearly the old one is still cached somehow.

@MVethana
Author

Downloading a different combination of caddy-security and caddy2-filter also results in the site providing 1.0.1 instead of 1.0.2.

@greenpau
Owner

@MVethana , let's consider this issue closed. Please go to the caddy.community forum and ask for help with the Download page.

You could also specify the version number in the input box next to the plugin name when downloading from the caddy website.

@greenpau
Owner

@MVethana , please see https://github.com/greenpau/caddy-security/issues/14#issue-1111599735
